Topic: OpenSSL -- OCSP

Author: X509 (member, offline) | posts: 28 | joined: 05/01/2007 | from: MS
OpenSSL -- OCSP

OpenSSL Installation
====================
1. Go to https://slproweb.com/products/Win32OpenSSL.html
2. Download: Win64OpenSSL-3_3_1.exe
3. Run Win64OpenSSL-3_3_1.exe to install OpenSSL in the folder: C:\Program Files\OpenSSL-Win64
4. Add 'C:\Program Files\OpenSSL-Win64\bin' to the PATH environment variable so that openssl.exe can be located.

C:\OpenSSL-Win64>openssl version
OpenSSL 3.3.1 4 Jun 2024 (Library: OpenSSL 3.3.1 4 Jun 2024)
Configure OCSP Extension
Copy C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf to /myCA and add the following contents:
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://127.0.0.1:2560
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
Root CA
Since the root CA is always a self-signed certificate, there is no need to go through the CSR and signing processes. All of the above can be combined into one command:
C:\OpenSSL>openssl req -x509 -sha256 -days 3650 -newkey rsa:2048 ^
  -keyout myCA/rootCA.key.pem -out myCA/rootCA.crt.pem ^
  -extensions v3_ca -config myCA/openssl.cnf
Display the certificate:
C:\OpenSSL>openssl x509 -in myCA/rootCA.crt.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
16:b9:8f:08:4f:1f:75:80:1b:49:ff:90:6f:f6:84:65:fb:e9:56:f1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=MyCA, OU=Dev, CN=rootCA
Validity
Not Before: Aug 24 00:47:06 2024 GMT
Not After : Aug 22 00:47:06 2034 GMT
Subject: C=US, O=MyCA, OU=Dev, CN=rootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9b:65:ef:a2:40:5a:7a:8b:a2:fb:33:8b:0e:61:
...
5c:1e:84:aa:84:66:cd:66:2f:d8:02:c2:4a:f4:16:
17:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
X509v3 Authority Key Identifier:
E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
48:d6:77:91:3f:60:0b:1f:14:63:90:ae:12:d4:d5:7a:0c:7d:
d3:94:e4:f3:8a:5d:2c:18:03:dd:c7:99:e2:2d:d9:3c:34:5d:
...
a9:21:c9:82
Generate a CA-signed certificate -- Any server
Step 1. Generate private key
C:\OpenSSL>openssl genrsa -aes256 -out myCA/myCompany.com.key.pem 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Step 2. Generate certificate request
C:\OpenSSL>openssl req -new -sha256 -key myCA/myCompany.com.key.pem ^
  -out myCA/myCompany.com.csr.pem
Enter pass phrase for myCA/myCompany.com.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:myCompany.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 3. Sign the CSR
C:\OpenSSL>openssl x509 -req ^
  -in myCA/myCompany.com.csr.pem -CA myCA/rootCA.crt.pem -CAkey myCA/rootCA.key.pem ^
  -out myCA/myCompany.com.crt.pem -days 2400
Certificate request self-signature ok
subject=C=US, CN=myCompany.com
Enter pass phrase for myCA/rootCA.key.pem:
Display/Verify the certificate
C:\OpenSSL>openssl x509 -in myCA/myCompany.com.crt.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:48:d0:c2:7f:9a:84:ce:db:53:8b:c3:5c:14:4f:a7:31:98:fd:22
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=MyCA, OU=Dev, CN=rootCA
Validity
Not Before: Aug 24 01:32:35 2024 GMT
Not After : Mar 21 01:32:35 2031 GMT
Subject: C=US, CN=myCompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a9:e0:b9:66:07:2d:56:3f:37:89:2e:85:aa:d4:
...
c1:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6A:1D:E7:98:B2:86:F8:CB:24:1E:D2:F5:FA:EC:34:0F:E7:0E:47:63
X509v3 Authority Key Identifier:
E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
99:aa:d8:67:31:59:4b:4d:57:83:e8:ab:f2:98:1d:64:80:43:
...
66:c3:65:2a
Step 4. Convert the private key and PEM certificate into a PKCS12 or JKS keystore
Concatenate all public certificate *.PEM files (intermediate CAs) into one PEM file, if any. Then create the keystore in PKCS12 format with the private key:
C:\OpenSSL>openssl pkcs12 -export -inkey myCA/myCompany.com.key.pem ^
  -in myCA/myCompany.com.crt.pem ^
  -name alias_name -out myCA/myServer.p12
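The thread's configuration, root CA and CA-signed certificate posts carried through to an actual OCSP request and signed response, as an added example in POSIX sh (not the poster's cmd session): the server certificate is signed with -extfile/-extensions usr_cert so the OCSP URI from the config actually lands in it (the Step 3 command above passes no config, and the certificate it prints has no AIA extension), a delegated OCSP signer is issued with the v3_OCSP section, and the request/response are exchanged as DER files instead of over http://127.0.0.1:2560. Temp paths, DNs and the index.txt row are constructed for the demo.

```shell
# Added example (not from the forum posts): the OCSP setup the thread describes, run
# locally on POSIX sh. File names, DNs and the index.txt row are constructed for it.
set -e
ocsp_demo() {
  d=$(mktemp -d); cnf="$d/openssl.cnf"
  # Minimal config; usr_cert and v3_OCSP carry the same settings as the post's openssl.cnf.
  cat > "$cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:2560
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
EOF
  # Self-signed root CA (the "Root CA" post).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$cnf" -extensions v3_ca \
    -subj "/C=US/O=MyCA/OU=Dev/CN=rootCA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Server cert; -extfile/-extensions usr_cert is what puts the OCSP URI (AIA) into it.
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" -subj "/C=US/CN=myCompany.com" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 2400 -extfile "$cnf" -extensions usr_cert -out "$d/server.crt" 2>/dev/null
  # Delegated OCSP signer, issued by the same CA with extendedKeyUsage = OCSPSigning.
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" -subj "/C=US/CN=ocsp" \
    -keyout "$d/ocsp.key" -out "$d/ocsp.csr" 2>/dev/null
  openssl x509 -req -in "$d/ocsp.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 365 -extfile "$cnf" -extensions v3_OCSP -out "$d/ocsp.crt" 2>/dev/null
  # CA database row the responder consults: V = valid. The expiry column is a constructed
  # placeholder (not read for a V row); the serial is the uppercase hex openssl prints.
  serial=$(openssl x509 -in "$d/server.crt" -noout -serial | cut -d= -f2)
  printf 'V\t340822004706Z\t\t%s\tunknown\t/C=US/CN=myCompany.com\n' "$serial" > "$d/index.txt"
  # Client: write the DER request (with no responder to query, openssl exits non-zero after writing it).
  openssl ocsp -issuer "$d/ca.crt" -cert "$d/server.crt" -reqout "$d/req.der" >/dev/null 2>&1 || true
  # Responder: look the serial up in index.txt, sign the answer with the delegated signer.
  openssl ocsp -index "$d/index.txt" -CA "$d/ca.crt" -rsigner "$d/ocsp.crt" -rkey "$d/ocsp.key" \
    -reqin "$d/req.der" -respout "$d/resp.der" -noverify >/dev/null 2>&1
  # Client: verify the signed response against the root and extract the status word.
  openssl ocsp -respin "$d/resp.der" -issuer "$d/ca.crt" -cert "$d/server.crt" \
    -CAfile "$d/ca.crt" -no_nonce 2>&1 | awk '/server.crt: /{print $2}'
}
ocsp_demo
```

Changing the index.txt row's first column from V to R (with a revocation time in the third column) makes the same exchange answer "revoked", which is the check a client relying on the AIA URI is meant to get.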